path: root/docs/ref/django-admin.txt
author: Shai Berger <shai@platonix.com> 2022-08-24 12:38:22 +0300
committer: Carlton Gibson <carlton@noumenal.es> 2022-09-07 11:08:43 +0200
commit: 42cd8c390d5f165fd7f6bbdffafd2aa4c2d9a32a (patch)
tree: 4b8f4bf910507889f542c022f9342880c89840d5 /docs/ref/django-admin.txt
parent: 19e838daa8872ee29fbea0bc471c2a6443f26835 (diff)
Fixed #33986 -- Hardened binary lookup in template commands.
Made template commands look up formatters before writing files. This makes sure files included in the template are not identified as executable formatter commands, even in case the template is rendered into the system path (as might easily happen on Windows, where the current directory is on the system path by default). While at it, warned about trusting custom templates for startapp/startproject. Thanks Trung Pham of Viettel Cyber Security for reporting the issue, Django Security Team for discussions, and Adam Johnson and Carlton Gibson for reviews.
Diffstat (limited to 'docs/ref/django-admin.txt')
-rw-r--r--  docs/ref/django-admin.txt  18
1 files changed, 16 insertions, 2 deletions
diff --git a/docs/ref/django-admin.txt b/docs/ref/django-admin.txt
index e27ff96eda..af27e0afb5 100644
--- a/docs/ref/django-admin.txt
+++ b/docs/ref/django-admin.txt
@@ -1362,6 +1362,19 @@ files is:
byte-compile invalid ``*.py`` files, template files ending with ``.py-tpl``
will be renamed to ``.py``.
+.. _trusted_code_warning:
+
+.. warning::
+
+ The contents of custom app (or project) templates should always be
+ audited before use: Such templates define code that will become
+ part of your project, and this means that such code will be trusted
+ as much as any app you install, or code you write yourself.
+ Further, even rendering the templates is, effectively, executing
+ code that was provided as input to the management command. The
+ Django template language may provide wide access into the system,
+ so make sure any custom template you use is worthy of your trust.
+
``startproject``
----------------
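Review bot: style point in the new warning body: "audited before use: Such templates" capitalizes the word after a colon mid-sentence; lowercase "such" matches the surrounding documentation. The second sentence could also state the concrete risk more directly, since the commit message already spells it out: rendering a custom template executes input handed to the management command, so a template from an untrusted source should be treated like untrusted code rather than like data. Consider also tightening "may provide wide access into the system" to say what the reader is meant to take away (the template has access to the rendering context and whatever the template engine exposes), as "wide access" on its own does not tell a reader how to judge a template.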
@@ -1418,8 +1431,9 @@ The :class:`template context <django.template.Context>` used is:
- ``docs_version`` -- the version of the documentation: ``'dev'`` or ``'1.x'``
- ``django_version`` -- the version of Django, e.g. ``'2.0.3'``
-Please also see the :ref:`rendering warning <render_warning>` as mentioned
-for :djadmin:`startapp`.
+Please also see the :ref:`rendering warning <render_warning>` and
+:ref:`trusted code warning <trusted_code_warning>` as mentioned for
+:djadmin:`startapp`.
``test``
--------
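Review bot: the cross-reference is correct, but since both the rendering warning and the new trusted code warning apply equally to ``startproject`` and ``startapp``, consider whether repeating "as mentioned for :djadmin:`startapp`" is the clearest placement; a reader who starts from ``startproject`` has to follow two links to find the caveats. If the warning stays under ``startapp``, the new sentence reads fine as written; otherwise both commands could share a single section that each one points to.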